Spam Law Now In Effect
The Can-Spam Act of 2003 (“CSA”) took effect on January 1, 2004. The law regulates the transmission of commercial electronic mail messages (“commercial e-mail”).
Commercial E-mail
The CSA defines commercial e-mail as an electronic mail message that has the primary purpose of advertising or otherwise promoting a commercial product or service. Congress intended the law to be broad in scope. An e-mail sent to promote the content on a web site operated for a commercial purpose is regulated under the CSA. The mere inclusion of a hyperlink, however, in an otherwise non-promotional e-mail does not render the message commercial e-mail, within the meaning of the CSA. The CSA gives the Federal Trade Commission (“FTC”) rulemaking authority to further define “primary purpose.”
“Transactional or relationship messages” are not commercial e-mail and are exempt from most requirements of the CSA. Transactional or relationship messages are electronic mail messages that: (1) facilitate, complete or confirm a commercial transaction; (2) provide warranty information, product recall information or safety or security information with respect to a commercial product or service; (3) provide information directly related to an employment relationship or related benefit plan in which the recipient is currently involved or enrolled; (4) deliver goods or services that the recipient is entitled to receive under the terms of the transaction; or (5) notify the recipient of a change in the terms or status of an on-going commercial relationship, such as a subscription or membership, or an account statement related thereto. The CSA gives the FTC the authority to initiate a rulemaking to further define the criteria for transactional or relationship messages.
Compliance Requirements
The CSA mandates disclosures for all commercial e-mail. Commercial e-mail must identify that the e-mail is an advertisement or solicitation. The CSA permits leeway in that regard, but the disclosure must be clear and conspicuous. Transactional or relationship messages, or e-mails the recipient has consented to receive, are not required to contain this disclosure.
The CSA requires that a commercial e-mail contain an opt-out mechanism for the recipient to decline receipt of future e-mails. The commercial e-mail must contain a clear and conspicuous notice of the opt-out mechanism.
Commercial e-mail messages must contain a valid physical postal address of the sender. It is unclear whether a P.O. box satisfies this requirement. The FTC is likely to offer guidance on that issue in a rulemaking or through compliance materials.
The CSA mandates warning labels on all commercial e-mail messages that contain sexually-oriented material. This requirement does not apply to messages where the recipient has previously given consent to receipt of the e-mail. The FTC has rulemaking authority to prescribe the exact marks or notices within 120 days of enactment of the CSA.
Prohibitions
The CSA contains several prohibitions. The law prohibits the transmission of e-mails containing false or misleading transmission information. This provision extends over the use of a third-party’s legitimate e-mail address by high-jacking it and transmitting e-mail from it. It is unlawful for a business to allow the promotion of its trade or goods using misleading header information if the business knew about the use and took no action to prevent the transmission. Similarly, subject headings that are misleading constitute a violation if the transmitter had actual knowledge, or knowledge “fairly implied,” that the heading was misleading.
The CSA prohibits the collection or creation of e-mail addresses using certain technologies. Accordingly, the CSA does not permit “harvesting” – the collection of e-mail addresses from a web site when the web site posts a notice that it does not transfer e-mail addresses to any other party. Further, e-mail addresses may not be generated by combining numbers and/or letters by automated means to conduct a spam campaign in a practice referred to as a “dictionary attack.” The CSA also prohibits the use of scripts to register for multiple e-mail address accounts and the use of unauthorized access to a computer to conduct e-mail campaigns.
Enforcement
The FTC is the primary government agency charged with enforcing the CSA. Violations of the law constitute an unfair or deceptive act or practice under the FTC Act. The CSA authorizes the FTC to use its enforcement authority as provided under the Act. Accordingly, the FTC is able to obtain equitable remedies, such as injunctive relief, consumer redress and disgorgement, as well as civil penalties for rule violations.
Other federal and state organizations have enforcement rights under the CSA. Typically, agencies, which have jurisdiction in industries where the FTC does not, are able to bring suit under the CSA. For example, the SEC, the Federal Reserve and the FCC may bring suit for CSA violations by regulated parties. State authorities, such as the attorneys general, also have enforcement authority. Independent service providers are the only private parties afforded any right of action under the CSA.
Criminal penalties are available for egregious violations. The CSA makes it a crime to send commercial e-mail with false header information, to access an unauthorized computer to send commercial e-mail, or to register for multiple e-mail accounts, falsifying the actual identity of the registrant.
Application of the CSA to Non-Profit Organizations
The CSA’s application to non-profit organizations is still under consideration, both by Congress and the FTC. There has been no official statement that non-profits are exempt from compliance requirements, based solely on non-profit status. As noted above, the CSA broadly regulates the transmission of commercial e-mail that has the primary purpose of advertising or promoting a commercial product or service. The CSA does not further define “commercial” and does not expressly exempt particular entities. Therefore, any clarification or exemption regarding non-profits must stem from subsequent instruction from Congress or result from a lack of general FTC jurisdiction.
To date, Congress has not commented on how the CSA applies to non-profits, but may issue additional reporting language to clarify the subject in the future. Officials at the FTC have indicated that they are currently unaware whether Congress will issue such additional information.
As to the question of FTC jurisdiction, the FTC has jurisdiction over a corporation if it is “organized to carry on business for its own profit or that of its members.” Recent FTC case law has affirmed that FTC jurisdiction over a non-profit membership organization that consists of for-profit members is proper if the organization conducts activity that enhances its members’ profits, for example, by conducting litigation, lobbying, marketing or public relations. An organization that is devoted merely to professional education, by contrast, is less likely to fall within the FTC’s jurisdiction. Presumably, jurisdiction will be determined based on past interpretations, but the FTC may clarify its position on this matter using its general rulemaking authority provided to it in the CSA or by additional statements regarding compliance.
The CSA also grants enforcement authority to state agencies. To the extent that state agencies have jurisdiction over non-profits, enforcement under the CSA may be carried out at the state level.
Until the issue is clarified, it is recommended that non-profits comply with the CSA.
Preemption
The CSA preempts all state laws that regulate the transmission of e-mail, including the California statute that would have prohibited unsolicited commercial e-mail as of January 1, 2004.
The CSA does not preempt any law that prohibits falsity or deception in any portion of a commercial e-mail. It also does not preempt state laws relating to trespass, tort, acts of fraud, or computer crime.
Do-Not-E-mail Registry
The CSA authorizes the FTC to explore the creation of a “Do-Not-E-mail” registry, similar to the one already in effect for telemarketing calls. The FTC has indicated that it does not support such a registry for e-mail. The FTC must submit a report concerning potential implementation of the registry within six months of enactment of the CSA.
